Upgraded version of Agent Tesla remote access Trojan now come with modules dedicated to stealing credentials from applications including popular web browsers, VPN software, as well as FTP and email clients.
Agent Tesla is a commercially available .Net-based infostealer with both remote access Trojan (RAT) and with keylogging capabilities active since at least 2014.
This malware is currently very popular with business email compromise (BEC) scammers who use it to infect their victims for recording keystrokes and taking screenshots of compromised machines.
It can also be used for stealing victims’ clipboard contents data, for collecting system information, and for killing anti-malware and software analysis processes.
Credentials are not so safe
After analyzing recently collected samples of the infostealer malware, Walter discovered dedicated code used for collecting both app configuration data and user credentials from multiple applications.
“The malware has the ability to extract credentials from the registry as well as related configuration or support files,”.
Google Chrome, Chromium, Safari, Brave, FileZilla, Mozilla Firefox, Mozilla Thunderbird, OpenVPN, and Outlook are just a small sample of all the apps targeted by the latest Agent Tesla RAT variants.
Once it harvests credentials and app config data, the infostealer will deliver it to its command-and-control (C2) server via FTP or STMP using credentials bundled within its internal configuration.
“Current variants will often drop or retrieve secondary executables to inject into, or they will attempt to inject into known (and vulnerable) binaries already present on targeted hosts,”.
Agent Tesla one of the most actively used malware in attacks targeting both businesses and home users as shown by a list of the top 10 malware strains analyzed on the interactive malware analysis platform Any.Run during the last week.
While far behind Emotet in the number of samples submitted for analysis on the platform, Agent Tesla takes second place in last week’s threats by the number of uploads.
Noting is safe untill proper process is put in place to overlook security.